If this is your first visit, be sure to
check out the Forum Rules by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

HOWTO: BT4 Pre-Final Full Disk Encryption

Hi all, I've been playing with the BT4 Pre-Final and my usual paranoia about my data got me wondering, how could I get full disk encryption working with BT4? Well, now that BT is based off of Ubuntu, this was easy to accomplish. If you want full disk encryption, read on.

Note that I am not writing this for a newcomer to BT, or even Linux for that matter., to follow. Therefore, if there is something you don’t understand let me direct you towards google.com now. I’ll help where I can, but I’m not explaining what a UUID is for example.

With that out of the way… unfortunately, we will need to reinstall BT from scratch so backup whatever data you need. We will also need a separate, unencrypted boot partition. I recommend popping in a gparted live cd now and partitioning you hdd as you see fit. As long as we have a boot partition and a partition for BT, we’re good.
I’m writing this guide for a single boot BT install but I have my system set up with a dual, tri or even quad boot. Thus, what I did is slightly different from the guide. You can also add encrypted swap or separate home/root partitions. The commands are essentially the same, there's just a few more of them. I'm writing this more of a basic disk encryption guide, not an encyclopaedia of how to do every type of encryption line by line.

Let’s get started. I assume you are running as root for all of these commands.

1.) OPTIONAL – The first thing to do is to fill the partition you’re about to put BT on with random data. This step is optional but it will ensure that no data is left behind. Note that this can take a very long time depending on the size of your drive.

Code:

dd if=/dev/urandom of=/dev/sdXX

Obviously, replace the sdXX with the appropriate letter and/or number. Depending on your level of paranoia you can use /dev/random which generates truly random data. This is considerably slower however and can lock up your system. Also, you can do dd if=/dev/zero… after filling the drive with random data to make it look like random data was never written to the drive. It’s all up to you and how secure you want to be.

2.) You should have you hdd partitioned already so let’s boot up the BT4 live cd. We need to load a kernel module.

Code:

modprobe aes-i586

3.) Now we’re going to encrypt the partition. Make sure you double check the block device before running this command. EVERYTHING in the partition WILL BE DELETED. I don’t think I need to discuss how to choose a good passPHRASE here (phrase, not word). It's completely pointless to encrypt everything and then choose a simple password.

Code:

cryptsetup luksFormat /dev/sdXX

If you are familiar with luks or want some more security, modify the above command to increase the key length, etc. I’m not going into that.
If you also use a swap or separate home partition, make sure you run that command on each of those if you want them encrypted. Again, this will delete all data on the specified partition.

4.) We now have our encrypted partitions set up, now we need to format them. Just fyi, an encrypted partition is like an empty container that holds a filesystem. This is why we need to format them.
So first, let’s open it so we can read it.

Code:

cryptsetup luksOpen /dev/sdXX root

The root at the end of that command is just the name I want to refer to the opened encrypted partition by. It can be anything you want and it can also be changed in your crypttab file (we’ll get to that soon).
Now that the partition is open, let’s format it as ext3. (If anyone tries ext4, let me know how it goes, I’m curious to see if it works or not.)

Code:

mkfs.ext3 –j –O extent /dev/mapper/root

As you can see, the encrypted partition we just opened is located at /dev/mapper/root (or whatever you called it). Again, just fyi, -j specifies we want a journal and –O extent makes it faster or something, I’m not sure. Gparted used that command and it’s worked out for me so far.

5.) So far so good. Now that everything is set up, run the BT installer and select /dev/mapper/root to be mounted as / and /dev/sdXX as /boot. Make sure you check the format box for /dev/mapper/root. Remember, we’re using ext3. When I was first trying this, it failed the installation if I did not tell it to format it again. I guess this kind of makes the previous step unnecessary but I feel it’s good practice to format it manually first.

You will most likely receive a fatal error dealing with grub. Ignore it and exit the installer. We’ll fix this later.

Just fyi, the reason I say to use the gui installer rather than doing a copy from the command line is simply that it would take more commands to fix what would get screwed up. However, for those that insist on installing their system via terminal, you can try the below commands. I have not tested these at all thus, I have no idea of they work or not. If you do do it this way you may skip step six. Thanks to floyd for posting the basis of these commands.

6.) Other than the grub issue, hopefully the installer completed successfully. If so, stay in the live cd; we have some more work to do. Let’s mount our new BT system and chroot to it so we can make it boot.

From here you can run apt-get update if you want. Also, they should already be installed but just to make sure you can do a “apt-get install cryptsetup initramfs-tools”. You'll get errors later if they aren't installed.

7.) Moving on, we need to edit our /etc/crypttab file. This file tells the initrd what partitions to open at boot so the system can mount them and use them.
I’m going to stick with my root name for / here.

Code:

root /dev/sdXX none luks

That’s it. If you did any other encrypted partitions, add them in here. If not, let’s move on.

8.) We now need to edit our /etc/fstab file. (I won’t explain this file, you should know.) Comment out whatever line is in there already for /. We also need to add a line for our boot partition. We want it to look like this…

9.) Almost done. We need to add a few kernel modules into the /etc/initramfs-tools/modules file. This tells what kernel modules we want loaded at boot. Add these lines to that file…

Code:

aes-i586
sha256
dm-mod
dm-crypt

I don't believe these are all necessary but it doesn't hurt to have them in there.

10.) Update your initrd file to represent the changes we just made.

Code:

update-initramfs –k all –c

I get an error when it tries to create an initrd file for kernel 2.6.29.3 but BT4 comes with 2.6.29.4 so as long as you get no errors on the initrd for 2.6.29.4 you should be good. It may take a few seconds to do this.

You can find the UUID of your boot partition by running “blkid /dev/sdXX”. Note that since we have a separate boot partition all paths are relative to / instead of /boot.
Now we install grub to the drive…

Code:

grub-install /dev/sdX

Note on the grub-install command, the end /dev/sdX is the drive, not the boot partition (eg, /dev/sda, not /dev/sda1).
If you recieve the error "/dev/sdX does not have any corresponding BIOS devices" pivot back to the live cd and run this...

Code:

grub-install --root-directory=/mnt/root/ /dev/sdX

Also note that I am using a slightly different set up on my system so I haven’t tested this step line by line personally; let me know if it doesn’t work exactly as I’ve written it. If you are doing a different setup, such as dual boot with another Linux distro, here’s your warning to watch very carefully what BT grub files you allow in your boot partition. You only need the kernel and the initrd file. I wasn’t paying attention to this and spent hours fixing grub errors that I had never encountered before.

Alright. Pivot back to the live cd (type exit) and unmount /mnt/root/boot and /mnt/root and reboot. When BT starts it should ask you for a passphrase and continue booting. Good luck!

I really don’t deserve credit for making this all work. I followed this guide from the Linux Mint forums and just made a few changes to get it working.

Thanks for the positive feedback. I'm interested in hearing if anyone else gets it working or not.

I'm currently working on encrypting the live cd / usb version of BT4. As I'm trying this, it's slowly booting up on my netbook. If I get it working, I'll make another how to as the process is significantly different (it requires some initrd hacking). Another challenge is to encrypt the changes made to the usb version...

EDIT: I have filesystem.squashfs encrypted and booting up. It seems like the boot time is slightly slower than its unencrypted counterpart (I'm talking about thirty seconds here). Changes are also working but those aren't encrypted yet. I'm trying different ways to encrypt them but keep getting kernel panics during boot. Again, I'll write a how to if/when I get it working.

Encrypting all your data is cool and all but I have one little question:

How does it affect performance? Is disk access notably slower?

If disc access is the same speed, or within 3% of the same speed, I'd definitely get this going.

Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

Encrypting all your data is cool and all but I have one little question:

How does it affect performance? Is disk access notably slower?

If disc access is the same speed, or within 3% of the same speed, I'd definitely get this going.

I've been running all my systems under luks-based full disk encryption for some time now. On my main desktop system I run compiz and play full HD videos at the same time as I have my typical twenty other Firefox, Nautilus and terminal windows open, and this all runs (noticeably) at the same speed as if it unencrypted.

As for BT, I haven't noticed any difference at all so far. But then again, I haven't compared john, aircrack, etc speeds with an unencrypted system yet (it's on my list). I would recommend trying this out on a spare drive or such and seeing if the performance is up to par for you. Encryption certainly makes disk access slower and increases cpu cycles; I'm interested in knowing if it's noticeable for anyone.

Thanks for the positive feedback. I'm interested in hearing if anyone else gets it working or not.

Thanks for the tutorial, it's great.

I tried it and added an encrypted swap partition. I know there is the possibility to type in the password only once (and not for root partition and swap partition). But it didn't work for me and i was too lazy to try again, so I have to type it in twice now. I think the difference is I have 2 encrypted containers (real partitions) and not 1 encrypted container with 2 partitions.

I don't have time to fix it this week and didn't put in much effort, but on my first try I couldn't start kde and the root partition was mounted read only. And as usual there is the modules.dep issue.

Yes I was a lazy bastard last week hopefuly I can fix these things next week and give some more feedback

I tried it and added an encrypted swap partition. I know there is the possibility to type in the password only once (and not for root partition and swap partition). But it didn't work for me and i was too lazy to try again, so I have to type it in twice now. I think the difference is I have 2 encrypted containers (real partitions) and not 1 encrypted container with 2 partitions.

I don't have time to fix it this week and didn't put in much effort, but on my first try I couldn't start kde and the root partition was mounted read only. And as usual there is the modules.dep issue.

Yes I was a lazy bastard last week hopefully I can fix these things next week and give some more feedback

One of the pitfalls with encrypting multiple drives/partitions is that you need to enter the password for each of them at boot even it is the same for all of them. (Someone once told me you could circumvent this and only be required to enter it once by using an LVM but I've never investigated that.)

As for encrypyting a swap partition, you could use a keyfile to auto-mount it. Nothing is saved in it so it doesn't pose a security risk. A quick, example crypttab file I just typed up can be seen below.

This guide can explain how to set up an encrypted swap much better than I could.

As for it not working for you, a good place to start troubleshooting would be to post your crypttab and fstab files. I might be able to help.

If anyone is following my updates with encrypting the live cd / usb version of BT4, I've figured out how to encrypt the filesystem.squashfs file and the changes partition so it is still persistent. I have a few more things to test out and I need to go back and clean up the code I put in the initrd then I'll write a how to for it. I have yet to hear anyone express any interest in this so it isn't at the top of my priority list; I'm just taking my time.

If anyone is following my updates with encrypting the live cd / usb version of BT4, I've figured out how to encrypt the filesystem.squashfs file and the changes partition so it is still persistent. I have a few more things to test out and I need to go back and clean up the code I put in the initrd then I'll write a how to for it. I have yet to hear anyone express any interest in this so it isn't at the top of my priority list; I'm just taking my time.

Thanks for the great tutorial. And I am definitely interested in your USB how-to once you've got the wrinkles ironed out.